What You'll Learn
HTTP/HTTPS protocol internals — request/response cycle, methods, status codes, headers, cookies, TLS handshake, HTTP/2 vs HTTP/3, and practical debugging with curl.
The HTTP Request/Response Cycle
HTTP Request
GET /api/users?page=1 HTTP/1.1
Host: api.example.com
Authorization: Bearer eyJhbGci...
Accept: application/json
Content-Type: application/json
User-Agent: Mozilla/5.0 (...)
Connection: keep-alive
Cache-Control: no-cache
{body here for POST/PUT}
HTTP Response
HTTP/1.1 200 OK
Content-Type: application/json
Content-Length: 1234
Cache-Control: max-age=300
X-Request-ID: abc123-def456
Set-Cookie: session=xyz; HttpOnly
Strict-Transport-Security: max-age=31536000
{"users": [...], "total": 100}
HTTP Methods
| Method | Purpose | Body | Idempotent |
|---|---|---|---|
| GET | Retrieve resource | No | ✅ Yes |
| POST | Create resource | Yes | ❌ No |
| PUT | Replace entire resource | Yes | ✅ Yes |
| PATCH | Partial update | Yes | ❌ No |
| DELETE | Remove resource | Optional | ✅ Yes |
| HEAD | Like GET but no body (metadata only) | No | ✅ Yes |
| OPTIONS | CORS preflight, allowed methods | No | ✅ Yes |
HTTP Status Codes
2xx — Success
200 OK
201 Created
204 No Content
206 Partial Content
3xx — Redirects
301 Moved Permanently
302 Found (temporary redirect)
304 Not Modified (cache)
307 Temporary Redirect
4xx — Client Errors
400 Bad Request
401 Unauthorized
403 Forbidden
404 Not Found
429 Too Many Requests
5xx — Server Errors
500 Internal Server Error
502 Bad Gateway (upstream error)
503 Service Unavailable
504 Gateway Timeout
HTTPS & TLS Handshake
1. Client Hello
Client sends its supported TLS versions, cipher suites, and a random number.
2. Server Hello
Server picks the TLS version and cipher suite, then sends its TLS certificate and its own random number.
3. Certificate Verification
Client validates the server certificate against its trusted CAs (chain, validity period, hostname) and extracts the server's public key.
4. Key Exchange
Client generates a pre-master secret, encrypts it with the server's public key, and sends it. This is the RSA key exchange of TLS 1.2 and earlier; TLS 1.3 (and modern TLS 1.2 suites) instead uses ephemeral (EC)DHE, so the server's long-term key only signs the exchange and past sessions stay safe if that key is later compromised.
5. Session Keys
Both sides derive the session keys from the pre-master secret plus both random numbers.
6. Finished
Both sides send a "Finished" message encrypted with the session key; if the other side's Finished message verifies, the secure channel is established.
curl — Your HTTP Swiss Army Knife
```bash
# Basic GET
curl https://api.example.com/users

# With headers
curl -H "Authorization: Bearer TOKEN" \
     -H "Accept: application/json" \
     https://api.example.com/users

# POST with JSON body
curl -X POST \
     -H "Content-Type: application/json" \
     -d '{"name":"John","email":"john@example.com"}' \
     https://api.example.com/users

# Show response headers only
curl -I https://example.com

# Show request + response headers (verbose)
curl -v https://example.com

# Follow redirects
curl -L https://example.com

# Save to file
curl -o output.json https://api.example.com/data

# HTTP timing breakdown (useful for perf testing!)
curl -w "\n\nDNS: %{time_namelookup}s\nConnect: %{time_connect}s\nTLS: %{time_appconnect}s\nTTFB: %{time_starttransfer}s\nTotal: %{time_total}s\n" \
     -o /dev/null -s https://example.com

# Test with a custom Host header (useful for testing behind a load balancer)
curl -H "Host: api.example.com" http://10.0.0.5/health

# Inspect the TLS certificate (subject, issuer, expiry) from the verbose output
curl -vI https://example.com 2>&1 | grep -E "subject|issuer|expire"
```
Important HTTP Headers
| Header | Purpose | Example |
|---|---|---|
| Content-Type | Body format | application/json |
| Authorization | Auth credentials | Bearer <token> |
| Cache-Control | Caching directives | max-age=3600, no-cache |
| Access-Control-Allow-Origin | Cross-origin permissions (CORS) | https://app.example.com |
| Strict-Transport-Security | Force HTTPS (HSTS) | max-age=31536000 |
| X-Forwarded-For | Client IP as reported by a proxy; client-supplied and spoofable, so trust only the value your own proxy sets | 203.0.113.195 |
| Content-Security-Policy | Mitigate XSS by restricting where scripts and other resources may load from | default-src 'self' |
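Tying the curl section to the header table: an added Python example (not part of the original page) that audits a raw response-header block, such as the output of `curl -sI`, for the defensive headers listed above (HSTS max-age, CSP presence, Set-Cookie flags, cache rules on responses that set cookies). The sample response is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample resembling `curl -sI` output for an API response.
# Not a real capture; it deliberately shows several weak settings.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: max-age=300
Set-Cookie: session=xyz; HttpOnly
Strict-Transport-Security: max-age=3600
"""

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a status line plus header lines into a lower-cased multimap."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                           # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_headers(raw: str) -> List[str]:
    """Return findings for missing or weak defensive headers."""
    h = parse_headers(raw)
    findings: List[str] = []
    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing")
    elif int(m.group(1)) < 31536000:        # one year, as in the table above
        findings.append(f"HSTS max-age too short ({m.group(1)}s < 1 year)")
    if "content-security-policy" not in h:
        findings.append("CSP missing")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("Secure", "HttpOnly", "SameSite"):
            if flag.lower() not in attrs:
                findings.append(f"cookie {name!r} lacks {flag}")
    cache = " ".join(h.get("cache-control", [])).lower()
    if h.get("set-cookie") and "no-store" not in cache and "private" not in cache:
        findings.append("Cache-Control allows shared caching of a response that sets a cookie")
    return findings

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_RESPONSE):
        print("-", finding)
```

Pipe a real capture in with `curl -sI https://example.com | python3 audit.py` after replacing SAMPLE_RESPONSE with `sys.stdin.read()`.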